CVE-2025-5981: CWE-427 Uncontrolled Search Path Element in Google osv-scalibr
Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.
AI Analysis
Technical Summary
CVE-2025-5981 is a medium-severity vulnerability affecting version 0.1.3 of Google's OSV-SCALIBR, a tool used for analyzing and unpacking container images. The vulnerability is classified under CWE-427 (uncontrolled search path element). Specifically, the flaw arises in the unpack() function when handling container images supplied via the command-line flag --remote-image. An attacker supplying a crafted, untrusted container image can exploit a path traversal weakness to perform arbitrary file writes on the host system with the privileges of the OSV-SCALIBR user. This occurs because unpack() does not properly sanitize or restrict the file paths extracted from the container image, so malicious paths can escape the intended extraction directory and overwrite or create files elsewhere on the host filesystem.

The vulnerability requires local access with low privileges (PR:L), attack requirements present (AT:P), and active user interaction (UI:A), and the attack vector is local (AV:L), meaning the attacker must already have some level of access to the host to invoke the vulnerable functionality. The impact on confidentiality is rated high due to potential overwriting of sensitive files, the integrity impact is low, and the availability impact is none. The scope is limited to the OSV-SCALIBR user context, and no privilege escalation is indicated. No known exploits are currently reported in the wild. The CVSS 4.0 base score is 5.7, a medium severity rating.

This vulnerability highlights the risks of processing untrusted container images without adequate path validation, which can lead to arbitrary filesystem modifications and potential compromise of the host environment where OSV-SCALIBR is deployed.
Potential Impact
For European organizations utilizing OSV-SCALIBR version 0.1.3, particularly in DevOps, container security, or software supply chain analysis workflows, this vulnerability poses a risk of arbitrary file writes on host systems. While the attack requires local access and user interaction, exploitation could allow attackers to modify critical files, implant malicious code, or disrupt container analysis processes. This can lead to compromised build pipelines, tampered security assessments, or persistence within development environments. Organizations relying on OSV-SCALIBR for container image security may face integrity risks to their software supply chain and potential exposure of sensitive data if configuration or credential files are overwritten. The medium severity rating suggests that while the vulnerability is not trivially exploitable remotely, the impact on confidentiality and integrity within affected environments is significant enough to warrant prompt remediation. Given the increasing reliance on containerized applications across European enterprises, especially in sectors like finance, manufacturing, and technology, the threat could disrupt critical development and deployment operations if left unaddressed.
Mitigation Recommendations
1. Upgrade OSV-SCALIBR to a patched version as soon as Google releases one; no patch links are currently provided, so prioritize the upgrade upon release.
2. Until a patch is available, restrict use of the --remote-image flag to trusted container images only, avoiding untrusted or external sources.
3. Implement strict access controls and monitoring on systems running OSV-SCALIBR to limit local user access and detect anomalous unpack() invocations.
4. Employ container image scanning and validation tools upstream to ensure images are free from path traversal payloads before analysis.
5. Use sandboxing or containerization to isolate OSV-SCALIBR runtime environments, minimizing the impact of arbitrary file writes.
6. Conduct regular audits of filesystem integrity on hosts running OSV-SCALIBR to identify unauthorized changes.
7. Educate DevOps and security teams about the risks of processing untrusted container images and enforce policies accordingly.
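The technical summary attributes the flaw to layer entry paths being written without being confined to the extraction directory, and recommendation 4 asks for images to be validated for such entries before analysis. The following is an added example (not OSV-SCALIBR's own code, and not the patched implementation) of the check an unpacker should apply: SafeExtractPath, ExtractLayerNames and buildLayer are hypothetical names, /tmp/scalibr-extract is an assumed extraction directory, and the tarball is constructed in memory to stand in for a layer from an untrusted image.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeExtractPath maps a layer tar entry name onto destDir and rejects any entry whose
// cleaned path lands outside it (assumed helper, not OSV-SCALIBR's own code).
func SafeExtractPath(destDir, entryName string) (string, error) {
	target := filepath.Join(destDir, strings.TrimPrefix(entryName, "/")) // absolute names become image-relative
	// filepath.Rel on the cleaned target catches ".." escapes, including the sibling-prefix
	// trick ("../scalibr-extract-evil/x") that a bare strings.HasPrefix(target, destDir) would accept.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("entry %q escapes %s", entryName, destDir)
	}
	return target, nil
}

// ExtractLayerNames walks an in-memory layer tarball, partitioning entries into safe and rejected.
func ExtractLayerNames(destDir string, layer []byte) (safe, rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	for hdr, e := tr.Next(); e != io.EOF; hdr, e = tr.Next() {
		if e != nil {
			return nil, nil, e
		}
		if _, perr := SafeExtractPath(destDir, hdr.Name); perr != nil {
			rejected = append(rejected, hdr.Name)
		} else {
			safe = append(safe, hdr.Name)
		}
	}
	return safe, rejected, nil
}

// buildLayer constructs a sample (not real) layer: two benign entries, then two traversal attempts.
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range []string{"etc/hostname", "/etc/passwd", "../../outside/.bashrc", "../scalibr-extract-evil/x"} {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644}) // zero-length placeholder files
	}
	tw.Close()
	return buf.Bytes()
}
```

Running ExtractLayerNames over the sample layer accepts the first two entries and rejects the last two, so a pre-analysis validator built on it would flag the image before unpack() ever writes to the host.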
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name
- Date Reserved: 2025-06-10T12:31:04.353Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68527d9ba8c9212743879169
Added to database: 6/18/2025, 8:49:31 AM
Last enriched: 6/18/2025, 9:04:39 AM
Last updated: 8/17/2025, 2:15:58 PM